Share this story

If you’re using Google’s “back up my data” feature for Android, the passwords to the Wi-Fi networks you access from your smartphone or tablet are available in plaintext to anyone with access to the data. And as a bug report submitted by an employee of the Electronic Frontier Foundation (EFF) on July 12 suggests, that leaves them wide open to harvesting by agencies like the NSA or the FBI.

“The ‘Back up my data’ option in Android is very convenient,” wrote Micah Lee, staff technologist at the EFF. “However, it means sending a lot of private information, including passwords, in plaintext to Google. This information is vulnerable to government requests for data.”

The Backup Manager app stores Android device settings in Google’s cloud, associated with the user account paired with the device; the Backup Manager interface is part of the core Android application API as well, so it can be used by other Android apps. Backup is turned on by default for Nexus devices and can push data such as MMS and SMS messages, browser bookmarks, call logs, and system settings—including Wi-Fi passwords—to Google’s cloud for retrieval in the event that a device is broken, lost, or stolen.

“Since backup and restore is such a useful feature, and since it's turned on by default,” wrote Lee, “it's likely that the vast majority of Android users are syncing this data with their Google accounts. Because Android is so popular, it's likely that Google has plaintext Wi-Fi passwords for the majority of password-protected Wi-Fi networks in the world.”

Most of those Wi-Fi networks have been mapped by Google as well. So it would be relatively trivial for an organization with access to backup data to match Wi-Fi network names and passwords with geolocation data. The result would be a partial map of where the targeted user has been as well as access to the networks his or her device has connected to in its travels.

Lee suggested that an easy fix to this privacy hole would be to encrypt the content of backups with a user’s Google credentials or a separate sync password. “I don't think it's rational to expect users to trust Google with their plaintext passwords when Google can be compelled to give this data to the US government when they request it,” he added.

Update: A Google spokesperson said in a conversation with Ars today that backup data is encrypted in transit from devices, and provided the following prepared statement from Google on the issue: “Our optional ‘Backup my data’ feature makes it easier to switch to a new Android device by using your Google Account and password to restore some of your previous settings. This helps you avoid the hassle of setting up a new device from scratch. At any point, you can disable this feature, which will cause data to be erased. This data is encrypted in transit, accessible only when the user has an authenticated connection to Google and stored at Google data centers, which have strong protections against digital and physical attacks.”

The spokesperson could not speak to how the data is encrypted in transit, or how the data was secured at rest.

Share this story

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Emailsean.gallagher@arstechnica.com//Twitter@thepacketrat